aboutsummaryrefslogtreecommitdiffstats
path: root/catalog-fe
diff options
context:
space:
mode:
authorvasraz <vasyl.razinkov@est.tech>2021-10-21 17:32:16 +0100
committerMichael Morris <michael.morris@est.tech>2021-11-15 11:50:33 +0000
commitb08ac296b31f001c946b1371f213ac302ff9c12e (patch)
tree3be6bcc7c025a82ec15fc35061f5f0e7dc024aeb /catalog-fe
parent7353fb39790b51c593cb0f72c6ab46d906758244 (diff)
Fix critical cross site scripting
Change-Id: I66a220f71a2e950055107a725191b46bcbe8c6a6 Signed-off-by: Vasyl Razinkov <vasyl.razinkov@est.tech> Issue-ID: SDC-3607 Issue-ID: SDC-3755
Diffstat (limited to 'catalog-fe')
-rw-r--r--catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/PortalServlet.java14
-rw-r--r--catalog-fe/src/test/java/org/openecomp/sdc/fe/servlets/PortalServletTest.java16
2 files changed, 15 insertions, 15 deletions
diff --git a/catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/PortalServlet.java b/catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/PortalServlet.java
index 6378b996cf..228f65db85 100644
--- a/catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/PortalServlet.java
+++ b/catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/PortalServlet.java
@@ -113,7 +113,7 @@ public class PortalServlet extends HttpServlet {
* @throws IOException
*/
private void addRequestHeadersUsingWebseal(final HttpServletRequest request, final HttpServletResponse response)
- throws ServletException, IOException {
+ throws ServletException, IOException, CipherUtilException {
response.setContentType("text/html");
// Create new request object to dispatch
MutableHttpServletRequest mutableRequest = new MutableHttpServletRequest(request);
@@ -170,7 +170,6 @@ public class PortalServlet extends HttpServlet {
getValueFromCookie(request, Constants.HTTP_CSP_FIRSTNAME);
getValueFromCookie(request, Constants.HTTP_CSP_LASTNAME);
//To be fixed
-
//addAuthCookie(response, userId, firstNameFromCookie, lastNameFromCookie);
RequestDispatcher rd = request.getRequestDispatcher("index.html");
rd.forward(mutableRequest, response);
@@ -180,7 +179,7 @@ public class PortalServlet extends HttpServlet {
}
boolean addAuthCookie(HttpServletResponse response, String userId, String firstName, String lastName) throws IOException {
- boolean isBuildCookieCompleted = true;
+ boolean isBuildCookieCompleted = false;
Cookie authCookie = null;
Configuration.CookieConfig confCookie = ConfigurationManager.getConfigurationManager().getConfiguration().getAuthCookie();
//create authentication and send it to encryption
@@ -188,9 +187,9 @@ public class PortalServlet extends HttpServlet {
try {
AuthenticationCookie authenticationCookie = new AuthenticationCookie(userId, firstName, lastName);
String cookieAsJson = RepresentationUtils.toRepresentation(authenticationCookie);
- encryptedCookie = org.onap.sdc.security.CipherUtil.encryptPKC(cookieAsJson, confCookie.getSecurityKey());
+ encryptedCookie = CipherUtil.encryptPKC(cookieAsJson, confCookie.getSecurityKey());
+ isBuildCookieCompleted = true;
} catch (Exception e) {
- isBuildCookieCompleted = false;
log.error(" Cookie Encryption failed ", e);
}
authCookie = new Cookie(confCookie.getCookieName(), encryptedCookie);
@@ -243,12 +242,13 @@ public class PortalServlet extends HttpServlet {
* @param request
* @param headers
*/
- private void addCookies(final HttpServletResponse response, final HttpServletRequest request, final String[] headers) {
+ private void addCookies(final HttpServletResponse response, final HttpServletRequest request, final String[] headers)
+ throws CipherUtilException {
for (var i = 0; i < headers.length; i++) {
final var currHeader = ValidationUtils.sanitizeInputString(headers[i]);
final var headerValue = ValidationUtils.sanitizeInputString(request.getHeader(currHeader));
if (headerValue != null) {
- final var cookie = new Cookie(currHeader, headerValue);
+ final var cookie = new Cookie(currHeader, CipherUtil.encryptPKC(headerValue));
cookie.setSecure(true);
response.addCookie(cookie);
}
diff --git a/catalog-fe/src/test/java/org/openecomp/sdc/fe/servlets/PortalServletTest.java b/catalog-fe/src/test/java/org/openecomp/sdc/fe/servlets/PortalServletTest.java
index b31b2f970e..11a4aecede 100644
--- a/catalog-fe/src/test/java/org/openecomp/sdc/fe/servlets/PortalServletTest.java
+++ b/catalog-fe/src/test/java/org/openecomp/sdc/fe/servlets/PortalServletTest.java
@@ -55,14 +55,14 @@ import org.openecomp.sdc.fe.config.ConfigurationManager;
class PortalServletTest extends JerseyTest {
- private final static HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
- private final static HttpSession httpSession = Mockito.mock(HttpSession.class);
- private final static ServletContext servletContext = Mockito.mock(ServletContext.class);
- private final static ConfigurationManager configurationManager = Mockito.mock(ConfigurationManager.class);
- private final static Configuration configuration = Mockito.mock(Configuration.class);
- private final static HttpServletResponse response = Mockito.spy(HttpServletResponse.class);
- private final static RequestDispatcher rd = Mockito.spy(RequestDispatcher.class);
- final static Configuration.CookieConfig cookieConfiguration = Mockito.mock(Configuration.CookieConfig.class);
+ private static final HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+ private static final HttpSession httpSession = Mockito.mock(HttpSession.class);
+ private static final ServletContext servletContext = Mockito.mock(ServletContext.class);
+ private static final ConfigurationManager configurationManager = Mockito.mock(ConfigurationManager.class);
+ private static final Configuration configuration = Mockito.mock(Configuration.class);
+ private static final HttpServletResponse response = Mockito.spy(HttpServletResponse.class);
+ private static final RequestDispatcher rd = Mockito.spy(RequestDispatcher.class);
+ private static final Configuration.CookieConfig cookieConfiguration = Mockito.mock(Configuration.CookieConfig.class);
@SuppressWarnings("serial")
@BeforeAll